Netgear Authentication Bypass Allows Router Takeover

Microsoft researchers discovered the firmware flaws in the DGN-2200v1 series router that can enable authentication bypass to take over devices and access stored credentials.

Netgear has patched three bugs in one of its router families that, if exploited, can allow threat actors to bypass authentication to breach corporate networks and steal data and credentials.

Microsoft security researchers discovered the bugs in Netgear DGN-2200v1 series routers while they were researching device fingerprinting, Microsoft 365 Defender research team’s Jonathan Bar Or said in a blog post, posted Wednesday.

“We noticed a very odd behavior: A device owned by a non-IT personnel was trying to access a Netgear DGN-2200v1 router’s management port,” researchers wrote.

Researchers investigated and eventually identified the vulnerabilities, tracked as PSV-2020-0363, PSV-2020-0364 and PSV-2020-0365 by Netgear (CVEs were not issued), and which range in CVSS rating from high (7.4) to critical (9.4). They reported their discovery to Netgear, which has released a security advisory patching the flaws.

An attacker can exploit the flaws to breach a router’s management pages without having to log in, and take over the router, as well as use a cryptographic side-channel attack to acquire the router’s saved credentials, Bar wrote.

Full exploitation of the vulnerabilities “can compromise a network’s security — opening the gates for attackers to roam untethered through an entire organization,” he wrote.

Unpacking the Issue

Researchers downloaded the firmware for the device in question from Netgear’s website to explore why there was a random device trying to connect with the router’s management port. They observed that the anomalous communication used the standard port that HTTPd serves, so they chose to focus there to see where the problem might lie.

Researchers performed a static analysis of the HTTPd binary and dynamic analysis by running QEMU, an open-source emulator, among other tests to explore the issue, they said.

Eventually, while examining how HTTPd dictates which pages should be served without authentication, they found some “pseudo code” as the first page handling code inside HTTPd, automatically approving certain pages such as “form.css or “func.js.”

This in and of itself would not be a problem, Bar wrote, except “Netgear decided to use ‘strstr‘ to check if a page has .JPG, .GIF or ‘ess_’ substrings, trying to match the entire URL,” he said. This meant that researchers could access any page on the device, including those requiring authentication, “by appending a GET variable with the relevant substring (like ‘?.GIF”),” he wrote.

Bar used the example “hxxps://10[.]0[.]138/WAN_wan.htm?pic.gif” to demonstrate how researchers achieved “a complete and fully reliable authentication bypass.” In this way, researchers achieved “complete control over the router,” he said.

Exploring Router Authentication

After that, researchers decided to dive even deeper to see how the authentication was implemented, finding that router credentials also could be gained using a side-channel attack, they said.

Moreover, they went on to use the first authentication-bypass vulnerability to see if they could recover the user name and password used by the router by another existing weakness, focusing on the device’s backup and restore feature. By reverse-engineering the functionality, they found that they could, Bar wrote.

“After some preparatory steps, the contents are DES-encrypted with a constant key ‘NtgrBak,'” he wrote. “This allows an attacker to get the plaintext password (which is stored in the encrypted NVRAM) remotely. The user name, which can very well be variations of ‘admin,’ can be retrieved the same way.”

“With this research, we have shown how a simple anomalous connection to a router, found through the endpoint discovery service, drove us to find several vulnerabilities on a popular router,” Bar wrote in the post. “Routers are integral to networking, so it is important to secure the programs supporting its functions.”

The vulnerabilities aren’t the first time Netgear routers have had authentication flaws, allowing attackers to use them as an entry point into the wider network. About a year ago researchers discovered an unpatched zero-day vulnerability in firmware that put 79 Netgear device models at risk for full takeover. Moreover, the company chose to leave 45 of those models unpatched because they were outdated or had reached their end of life.

Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.






Suggested articles